SWIFT’s Customer Security Controls Framework

SWIFT’s Customer Security Programme (CSP) helps corporates and financial institutions ensure their defenses against cyberattacks are up to date and effective, to protect the integrity of the wider financial network. Before attesting their level of compliance to SWIFT at the end of the year, users need to compare the security measures they have implemented with those detailed in SWIFT’s Customer Security Controls Framework (CSCF).

The CSCF establishes a set of mandatory and advisory security controls for the operating environment of SWIFT users. These controls are based on industry-standard frameworks, such as NIST, ISO 27000 and PCI-DSS.

Mandatory security controls build on existing guidance and establish a security baseline for the entire user community. SWIFT prioritizes the mandatory controls to set a realistic goal for short-term, tangible security gains, as well as risk reduction.

Advisory controls are optional best practices that SWIFT recommends each user implement in the operating environment. Over time, controls may change due to the evolving threat landscape, the introduction of new technologies, the evolution of security-related regulations in major jurisdictions, developments in cybersecurity practices, or user feedback. As such, some advisory controls may become mandatory, or new controls may be added.

To support the adoption of the security controls, SWIFT has developed a process that requires users to attest compliance against the mandatory (and optional advisory) security controls. SWIFT asks users to submit an attestation in the KYC Security Attestation (KYC-SA) application. By the end of each year, users must attest compliance against the mandatory (and optional advisory) security controls as documented in the CSCF version that is effective at that time.

CSCF change process

The CSCF is updated yearly in order to deal with new and upcoming threats and to stay up to date with the latest developments in cybersecurity. SWIFT follows a strict change process that gives customers sufficient time to assess and adopt the required security measures. Any changes to the controls will be announced mid-year, with attestation and compliance with the new version of mandatory controls required between July and December of the following year, dependent on the expiry date of the user’s attestation. All new mandatory controls are first introduced as advisory, giving all users at least two cycles to plan, budget and implement any changes.


To further improve the integrity, consistency and accuracy of attestations, it is mandatory to do the assessment independently. This is described in the Community-Standard Assessment process. There are two options to achieve this:

  • Independent External assessment, by an independent external organization experienced in cybersecurity assessment, with individual assessors who have relevant security industry certification(s), or
  • Independent Internal assessment, by a user’s second or third line of defence function (such as compliance, risk management or internal audit) or its functional equivalent (as appropriate), which is independent from the first line of defence function that submitted the attestation or its functional equivalent. As for external assessors, those undertaking the assessment work should have up-to-date and relevant experience in assessing cyber-related security controls.

Yearly cycles

The assessment required by SWIFT is not a one-off. Corporates would benefit from setting up a yearly cycle for the assessment process, in which the latest version of the control framework is reviewed and compliance with the changes in the framework can be achieved in time. The completion of the assessment in the KYC-SA tool is the end point of the cycle, not the beginning. Zanders can help to streamline this process, assist in evaluating the controls in the framework and perform the external assessment. Don’t wait until December. Start now!